New Phishing Attacks Use Mandiant Report as Bait
Two different attacks claim to offer a PDF of the report, but deliver malware instead.
Following Mandiant's recent release of a report examining alleged cyber attacks by the Chinese military, Symantec's Joji Hamada is warning that targeted attacks have begun using the report itself as bait -- and Seculert researchers are also warning of a second version of the attack.
"The email purports to be from someone in the media recommending the report. ... When the fake report, which Symantec detects as Trojan.Pidief, is opened, a blank PDF is shown but in the background exploit code for Adobe Acrobat and Reader Remote Code Execution Vulnerability (CVE-2013-0641) is executed," Hamada writes. "From our analysis, the exploit fails to drop any malware onto the computer. It is worth noting that there may potentially be other variants that are successful in dropping malware."
"The second attack (hat tip to Brandon Dixon for the MD5s) seems to be targeting Chinese journalists," Seculert reports. "The attachment file name is 'Mandiant_APT2_Report.pdf.'"
"According to an analysis of the PDF file by researcher Brandon Dixon of security consultancy firm 9b+, the document exploits an older Adobe Reader vulnerability that was discovered and patched in 2011," writes Computerworld's Lucian Constantin. "The malware installed on the system establishes a connection to a domain that currently points to a server in China, Dixon said via email. 'The malware provides attackers with the ability to execute commands on the victim's system.'"
"It's not very often that an information security lure is used in targeted emails, but that speaks to how widely talked-about the Mandiant report has been this week," writes SC Magazine's Dan Kaplan.